One Identity Active Roles OverviewUNIXBusinessApplication

One Identity Active Roles is the #2 ranked solution in top Active Directory Management tools and #7 ranked solution in top User Provisioning Software. PeerSpot users give One Identity Active Roles an average rating of 8.0 out of 10. One Identity Active Roles is most commonly compared to Azure Active Directory (Azure AD): One Identity Active Roles vs Azure Active Directory (Azure AD). One Identity Active Roles is popular among the large enterprise segment, accounting for 68% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 18% of all views.
Buyer's Guide

Download the User Provisioning Software Buyer's Guide including reviews and more. Updated: November 2022

What is One Identity Active Roles?

One Identity Active Roles is a highly regarded solution for Active Directory (AD) security and account management. One Identity Active Roles will enhance group, account, and directory management while eradicating the need for manual processes. The end result is a significant increase in the overall speed, efficiency, and security of the organization.

Using One Identity Active Roles, users can:

  • Easily increase and strengthen native attributes of Active Directory (AD) and Azure AD.

  • Quickly unify and automate group and account management while protecting and securing critical administrative access.

  • Free up valuable resources to concentrate on other IT tasks, fully confident that your user permissions, critical data, and privileged access are safe and secure.

Managing accounts in AD and Azure AD can be tremendously challenging; continually keeping these important systems safe and secure presents an even greater challenge. Traditional tools can be inefficient, error-prone, and very disjointed. In today’s robust marketplace, organizations are finding it somewhat difficult to keep pace with the constant access changes in a hybrid AD ecosystem. Additionally, there are significant security issues to consider (government compliance, employee status/access changes, and other confidential business requirements). And, of course, there is a requirement to properly manage Active Directory and Azure Active Directory access in addition to managing all the other numerous SaaS and non-Windows applications that organizations use today.

Users can easily automate all of these tedious, mundane administrative tasks, keeping their systems safe and error-free. Active Roles ensures users can perform their job responsibilities more effectively, more efficiently, and with minimal manual intervention. Active Roles was created with a flexible design, so organizations can easily scale to meet your organizational needs, today, tomorrow, and in the foreseeable future.

Reviews from Real Users

A PeerSpot user who is a Network Analyst at a government tells us, “It has eliminated admin tasks that were bogging down our IT department. Before we started using Active Roles, if one of our frontline staff members deleted a user or group, it could take several hours to try to reverse that mistake. Whereas now, the most our frontline staff can do is a deprovision, which just disables everything in the background, but it's still there. We can go in and have it back the way it was two minutes later. Instead of it taking two hours, it only takes two minutes.

Becky P., Sr Business Analyst at George Washington University, shares, “In addition, with the use of workflows and the scheduled tasks, we were able to automate and centrally manage a number of the processes as well as utilize them to work around other product limitations. Those include, but are not limited to syncing larger groups, which have 50,000 plus members, to Azure AD. We sync up to Azure AD using ARS. If we had not already had ARS in place, it would have been impossible for us to have done so in the time period we did it in. We did it in under six months. ARS probably saves us at least two weeks out of every month. It's reduced our workload by 50 percent, easily.”

One Identity Active Roles was previously known as Quest Active Roles.

One Identity Active Roles Customers

City of Frankfurt, Moore Public Schools, George Washington University, Transavia Airlines, Howard County, MD. See all stories at OneIdentity.com/casestudies

One Identity Active Roles Video

One Identity Active Roles Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Becky Phares - PeerSpot reviewer
Sr Business Analyst at George Washington University
Real User
Leaderboard
Flexibility and extensibility of the platform allowed us to achieve far more efficiencies than we ever expected
Pros and Cons
  • "With the use of the sync service we were able to import information from multiple external systems and populate them within our space and leverage them for downstream systems."
  • "There are some features that we think should be included in their next release. We think these things would take them to the next level: the ability to completely force or limit any dynamic group processing to specific servers, change-tracking reporting of virtual attributes, and the ability to use files as inputs to automation workloads. These things have also been talked about. Knowing them, they're probably working on them."

What is our primary use case?

Our primary use case for ARS is for the ease of delegating administrative access and the ability to limit direct access to the domain controllers. Those were the primary purposes for purchasing it. We do much more with it now, probably more than anyone else.

We're still working through that primary use case. But in addition to that, over the course of the last seven years, we've been able to leverage ARS to allow us to do a lot more and be more efficient. We use it for dynamic groups. We automatically group users together by department, reporting structure, etc., to leverage them for access, authorization, and authentication. And we automatically group computer objects for management authorization.

We have also started leveraging ARS as an identity platform. It was an interim solution until we move over to our final solution, for which we're going through vendor selection right now. The way we use it for identity is that we use custom scripts and workflows and scheduled tasks. We were able to migrate off of our legacy identity platform and move everything we currently do into ARS.

While migrating to ARS, we also implemented role-based access for the administrative users and customized views for each role in ARS, in the web interface. So if you're a level-one support, you only see the tasks that you are allowed to do, versus if you're a full-blown administrator, you see everything.

In addition, we use it for account creation at the university. We expose native Azure AD user group properties to assist with support increase. We provision and de-provision applications, and we create the necessary reports.

How has it helped my organization?

We reduced the development cycle for modifications to code, which enabled us to easily integrate and onboard services, applications, and areas of the university that were not previously centralized. We just centralized Law, for instance. 

We also have real-time alerting for failed tasks, which has reduced the troubleshooting tickets, user frustration, and allowed us to, in some cases, address the issue before it's even realized by the customer. In our previous system, if a task failed, we didn't know about it until the next day. Now, if a task fails, we're immediately notified by the system. That's how we're often able to clear it before the user ever even knows anything impacted them.

In addition, with the use of workflows and the scheduled tasks, we were able to automate and centrally manage a number of the processes as well as utilize them to work around other product limitations. Those include, but are not limited to syncing larger groups, which have 50,000-plus members, to Azure AD.

We sync up to Azure AD using ARS. If we had not already had ARS in place, it would have been impossible for us to have done so in the time period we did it in. We did it in under six months. If we had been migrating to a whole new platform, or an identity system, the way that things were, we would not have been able to do that in six months. ARS saved us. It was our bridge between an outdated solution, one that had not been matured. It gave us that time to breathe so that we could find the right solution for us. ARS won't go away, it will just stop doing the identity pieces. We will continue to use ARS.

ARS probably saves us at least two weeks out of every month. It's reduced our workload by 50 percent, easily.

We were able to introduce automated role-based provisioning for the first time, because we had ARS. We introduced role-based access. We introduced birthright access. Those had never been done before. We took ARS and turned it into an identity platform as our interim solution. That enabled us to eliminate Oracle Identity Manager completely. Per user, automated provisioning saves a couple of hours per week.

It has enabled staff to focus on more important IT initiatives. Because it is dependable, and because there aren't any issues with it, it allows the operational staff to also be development staff. A lot of our time has been freed up so that we can do things like interview vendors, come up with a logical strategy, and things of that nature. So ARS has certainly assisted in us being able to do that. We didn't reduce resources. Rather, time was freed up so that we could focus on more important things.

It also reduces risk because we use it to leverage dynamic groups, and with a dynamic group, if the person is no longer in the feed coming from the HR system, then that person is immediately and automatically removed from the group. We don't have to wait for a human being to go and look in every single group to see if that person is in there. It's a matter of internal best practice, ensuring that we meet the requirement to have least access.

What is most valuable?

With the use of the sync service we were able to import information from multiple external systems and populate them within our space and leverage them for downstream systems.

ARS also gives you a single pane of glass to manage AD and Azure AD. One of the things that we really like is that we can get to everything from ARS if we need to. So unless you are a system admin, there's no reason for you to go into Azure AD, because we have it set up so that everything syncs up with Azure AD. It gives us a level of confidence that things are matching from a governance perspective. We're trying to mature. I don't know that ARS will get us to our final destination, but it is helping us govern what we can see.

What needs improvement?

We would like to see 

  • extension of change-tracking auditing capabilities, especially in relationship to the virtual attributes 
  • more flexibility with group families
  • integration with cloud database path solutions
  • better integration with Azure AD; it integrates, but it could be better.

These are all things that our tech team has talked to their tech team about. And they're extremely responsive. 

In addition, there are some features that we think should be included in their next release. We think these things would take them to the next level: the ability to completely force or limit any dynamic group processing to specific servers, change-tracking reporting of virtual attributes, and the ability to use files as inputs to automation workloads. These things have also been talked about. Knowing One Identity, they're probably working on them.

Buyer's Guide
User Provisioning Software
November 2022
Find out what your peers are saying about One Identity, SailPoint, Softerra and others in User Provisioning Software. Updated: November 2022.
656,474 professionals have used our research since 2012.

For how long have I used the solution?

We've been using One Identity Active Roles since around 2013.

What do I think about the stability of the solution?

Maintenance is standard and periodic. There may be a release or update that comes along, but other than that it's a very stable tool and doesn't require much maintenance at all. It's probably one of those grunt tools that most would typically consider ubiquitous. However, we think about it because we're using it for more than what it was intended to be used for.

What do I think about the scalability of the solution?

We haven't had any problem at all, so far, with scalability. The only thing that we really saw was that syncing larger groups is a problem when we try to sync to Azure.

ARS went from just being our AD management tool to being our identity system, and it will continue to be that for the next 12 months. When we pick up and move the identity pieces out of ARS, it will remain the workhorse to keep all these things in sync.

We're pulling the identity components out because ARS is not an identity platform. It's not meant to be one. It's not robust enough to handle it all. If we continue to customize and build it out, we'd be building our own identity tool and that's not a good path to go down.

At last count we had around 50 users of ARS. They're either our middleware tech team, the CIS admins, including AD, Azure, etc., or it's our level-one support team. They use it to reset 2FA and to reset passwords. We built a custom interface for them.

How are customer service and support?

Excellent support. They truly are a partner. They want to be a partner, a collaborator. Their number-one goal is to solve people's problems, in the space of identity. That's really good. 

In all of these years, we've never had any problems. As a matter of fact, they are very proactive and always reaching out saying to us, "How can we help? How can we help?" We've had excellent service from them.

Which solution did I use previously and why did I switch?

We eliminated Oracle Identity Manager from our environment. Unfortunately, OIM was stood up about nine years ago but proved to require a lengthy life cycle to onboard applications and move to role-based provisioning, so we never moved beyond the first phase. We picked everything up out of that system and we created, if you will, a brand new ARS to handle everything that used to be in there. If OIM would choke, we would have to do constant reboots. We don't have any of that anymore now that we are in ARS. We haven't put a ticket in for a reboot in over a year, since we migrated.

We've been using ARS for our identity platform for a little over a year, and it was the right thing to do at the time. It could handle what we were doing, because what we're doing is actually very limited.

How was the initial setup?

I wasn't here for the initial setup in 2013, so I can't speak to that. I'm not part of the technical team that is in the process of doing the upgrade to 7.4.

But you can do deployment with two to three people. I know that from knowing the size of our team and who's doing it. If you've got two to three knowledgeable, skilled people, that's all it takes.

What was our ROI?

There has been return on investment in the time savings, although I can't put a number on it.

Which other solutions did I evaluate?

We looked into other options. The problem was that we needed to move quickly because OIM was out of maintenance. As a team we decided, "We have a tool here that can do this. We just need to make it do it". This provided the additional time we needed to decide on the right solution for access management and governance.

ARS is very clean and very easy to use. Sometimes, getting down to the level of detail that you need to see can be challenging, but its ease of use is comparable to any Microsoft tool or any other tool that's out there.

What other advice do I have?

If you're going to implement it out-of-the box, off-the-shelf, exactly as it's meant to be, you should be able to do it on your own. It's pretty straightforward. If you intend to do anything else with it, a good integrator is key.

The biggest lesson we've learned is that the flexibility and the extensibility of this platform allowed us to achieve far more efficiencies than we ever expected. What became the short-term certainly isn't going to be the long-term, but it proved credibility here, and that was what was really important. It gave us the credibility that we could do what we said we were going to do: take us off of a legacy tool that was broken, make things more efficient, and close the gaps until we could put in the full-blown solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Network Analyst at a government with 501-1,000 employees
Real User
Top 20
Deprovision option allows us to reverse any accidental deletions
Pros and Cons
  • "Instead of deleting accounts, we like the deprovision option so that we can reverse any accidental deletions. It also gives a higher level of quality control in terms of enforcing any number of variables, such as making sure that an account has a description entered before the account can be created. We can backtrack and know the history of it that way."
  • "I've had a difficult time getting it to cooperate with Azure in the cloud and, while the support staff are very good and very knowledgeable, what they assist with just on a call doesn't go deep enough to help with a number of issues. The answer that comes back is that we'd have to start an engagement with Professional Services, which is fine but that takes time to schedule and it takes budget."

What is our primary use case?

We started using Active Roles because we wanted protection against user errors by our frontline service desk.

We have an on-premises solution.

How has it helped my organization?

Instead of deleting accounts, we like the deprovision option so that we can reverse any accidental deletions. It also gives a higher level of quality control in terms of enforcing any number of variables, such as making sure that an account has a description entered before the account can be created. We can backtrack and know the history of it that way.

It has also eliminated admin tasks that were bogging down our IT department. Before we started using Active Roles, if one of our frontline staff members deleted a user or group, it could take several hours to try to reverse that mistake. Whereas now, the most our frontline staff can do is a deprovision, which just disables everything in the background, but it's still there. We can go in and have it back the way it was two minutes later. Instead of it taking two hours, it only takes two minutes.

In addition, it reduces risk by enforcing stronger and more complex passwords that not only conform but go above and beyond the default recommendations from our Microsoft policy. It makes sure that there's a certain level of completion with anything created or provisioned through ARS. It enforces compliance, and that is definitely helpful.

For how long have I used the solution?

I've been using One Identity Active Roles for about five years.

What do I think about the stability of the solution?

It's a stable product. We have very few issues with it.

What do I think about the scalability of the solution?

Up until our migration to Office 365 and Azure, our Active Roles architecture was very static. We didn't really have to scale it out at all during that time. The only scalability exercise that we've done is trying to adapt to Azure in Office 365, and it's a challenging process to do that.

How are customer service and technical support?

The product itself is fine and works well. I've had a difficult time getting it to cooperate with Azure in the cloud and, while the support staff are very good and very knowledgeable, what they assist with just on a call doesn't go deep enough to help with a number of issues. The answer that comes back is that we'd have to start an engagement with Professional Services, which is fine but that takes time to schedule and it takes budget. And during all that, you have a delay in getting a particular part of the platform working properly.

I've worked with several One Identity support folks and they're all very knowledgeable and pleasant to deal with. But sometimes I get the feeling that their hands are tied with how much support they can give me for a specific task because it gets into that gray area of what's break/fix and what goes off to Professional Services. If it falls in that gray area, it's hit or miss whether you're going to get support from your first call or whether you have to wait until you can dedicate a whole day to it.

Support could benefit from helping with a broader area of ideas on a first-call-resolution type of model, rather than just focusing on break/fix issues. They should also help with configuration issues.

How was the initial setup?

The process was complex. We had the help of an integrator from Quest, back then. We had him come onsite and work with us. There is definitely a learning curve when it comes to setting up templates. It's a complex product, but it's good once you get the hang of it.

The initial deployment took about a couple of weeks, but that was when everything was still on-premises. There wasn't any Office 365 or Azure back then. In terms of getting our Active Roles to cooperate with Azure now, I've been struggling with that, on and off, for over a year now. That's not necessarily a fault of One Identity. Their support is partially to blame for that, but a lot of it is on my shoulders too, due to the fact that I have other responsibilities at my workplace.

We have about eight admin staff who use Active Roles daily, and pretty much all day, for user functions. We don't have end-users with any control over delegation through Active Roles, although that might be something that we explore later; we might allow some office administrators to do various functions.

Which other solutions did I evaluate?

There are a lot of other benefits that we take advantage of that are above and beyond the native Active Directory functions that Microsoft provides. There's no comparison between Active Roles and the native Microsoft tools. You can customize the interface so that you can create a user account much more quickly. Active Roles also gives you a really nice audit log of when a user account was created and of any changes that happen to that account after the fact, as long as you do those changes within Active Roles. It's a really nice way to have a full view of the lifetime of an object created through Active Roles. It's much better than the native tools.

We researched various solutions before we narrowed in on what was Quest, back then. At that time we were going through a migration from an old Microsoft domain to a new Microsoft domain and we are using a different Quest product, but we haven't evaluated any other products.

What other advice do I have?

It is a good tool and anybody who works with Microsoft Active Directory and Azure can definitely benefit from using Active Roles. But it can be challenging to get Active Roles and Azure to play nicely together, depending on how your company is configured.

For some organizations, I could see that the product could help move staff to more important IT initiatives, but we don't use it at a level that it would help us in that capacity.

The big lesson learned—and it would depend on various people's skill levels or proficiency— for a new implementation where you're working with Azure and not Office 365, would be to budget for at least a one- or two-day session with Professional Services. That would save you a lot of time, and in terms of hourly costs, you would actually probably end up saving money by buying the Professional Services session.

I am in the process of scheduling a meeting with One Identity Professional Services to start using Active Roles for migration from AD to Azure AD. We've tried to mesh our Active Roles implementation with our new Azure setup and it's been challenging. Added support is definitely needed to get over the last few humps there.

I do find it a very useful tool. I have researched other players in the field and there's not a lot out there. Active Roles has the edge. I don't see us moving to a different product, but the biggest frustration has been getting enough support out of support.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free User Provisioning Software Report and find out what your peers are saying about One Identity, SailPoint, Softerra, and more!
Updated: November 2022
Buyer's Guide
Download our free User Provisioning Software Report and find out what your peers are saying about One Identity, SailPoint, Softerra, and more!